Receive notification from server

J

jdn1976

Verified User
Joined
Mar 30, 2020
Messages
107
Hello, I am again asking some doubts because I want to migrate my accounts to a DA panel.
Well, this time is:

see print attached. On cPanel have a field to send notifications from server when someone login, etc.
Is there any option like this to receive notifications by email from DA when someone login, brute force attack, etc?
 

Attachments

  • Captura de Tela 2020-04-08 às 07.59.09.png
    Captura de Tela 2020-04-08 às 07.59.09.png
    15.3 KB · Views: 32
There is no notifications for successful logins, only for brootforce (after 100 attempts by default).
You can use own script in cron that will parse access logs and send You notifications.
 
I initially thought about using CSF/LFD for this, however, I didn't find any login notification feature to match for DA (there is such a feature for

I found a login_pre.sh script and thought that we'd be able to make a login_post.sh script something like this to manage this:

Code: 
[root@host directadmin]# cat /usr/local/directadmin/scripts/custom/login_post.sh
#!/bin/sh

content=`tail -1  /var/log/directadmin/login.log`

echo "$content" | mail -s "NEW LOGIN" root@`hostname` -aFrom:ROOT\<root@`hostname`\>

exit 0;
[root@host directadmin]#

Then run this:

Code: 
chmod 700 /usr/local/directadmin/scripts/custom/login_post.sh
chown diradmin.diradmin /usr/local/directadmin/scripts/custom/login_post.sh

I tested the script like so:
Code: 
sh /usr/local/directadmin/scripts/custom/login_post.sh

And my email sent to root was forwarded as expected with the desired content to the email address I have set as my root forwarder in /root/.forward, however, when I logged in, it did not work. :(

I searched the DA versions system for any mention of a login_post.sh command and found none despite finding a login_pre.sh command. There was also no mention of a login_post.sh in /usr/local/directadmin/scripts/custom/README. Perhaps we can request this as a feature? @smtalk
 
With the excellent help of the DA staff, they helped me create a script to notify me of admin logins, here it is below, you can customize it yourself as well.:

Code: 
vi /usr/local/directadmin/scripts/custom/session_create_pre.sh

Put this in it and update your my.hostname.com with your actual hostname:

Code: 
#!/bin/sh
content="session_id: $session_id : ip=$ip username=$username referer=$referer";
L=/tmp/logins
if [ "${username}" = "admin" ]; then 
    date >> $L
    chmod 600 $L
    echo $content >> $L
    echo "$content" | mail -s "Admin Monitoring at `hostname --fqdn` : Admin login alert" [email protected] -aFrom:ROOT\<[email protected]\>
fi
exit 0;

Code: 
chmod 755 /usr/local/directadmin/scripts/custom/session_create_pre.sh
 
experttechit said:
With the excellent help of the DA staff, they helped me create a script to notify me of admin logins, here it is below, you can customize it yourself as well.:

Code: 
vi /usr/local/directadmin/scripts/custom/session_create_pre.sh
Click to expand...

I did not even think about session_create_pre.sh! Which makes sense since that would be ran post- login since the login would need to succeed in order to create the session. DOH!
 
Thanks @scriptkitty for the original script and @experttechit for the updated script.

The script is working fine using the session_create_pre.sh file. However, it seems to fire before the /var/log/directadmin/login.log file has updated and sends the last login not the most recent one.
 
Maybe tell it to sleep for 5s at the start of the script and see if that works?
 
https://docs.directadmin.com/developer/hooks/authentication#session_create_presh states this:

Be sure to exit with a zero-status. If you exit with a non-zero status, the write of the session file will be aborted, and the login won't work.

It also states this:

Note that API calls DO NOT use session files, so this should not be a login filter.

Perhaps the following, but you wouldn't be notified of the generated session until its about to be removed:

https://docs.directadmin.com/developer/hooks/authentication#session_destroy_presh

If a session is to be destroyed due to old age, or due to logout, session_destroy_pre.sh will be called just before the session file at /usr/local/directadmin/data/sessions/sess_XXX is removed.

I guess we're back to requesting either a login_post.sh (I'm assuming we'd need this for both session logins and for API logins over the session_create_post.sh).

You could alternatively write a bash script to monitor for new session files /usr/local/directadmin/data/sessions/sess_XXX , run via cron every minute or at whatever interval desired, and then have it send the email when a new session file is detected containing the latest contents of the login log or the IP and username for the login from the session file itself.
 
Last edited:
You must log in or register to reply here.
Back
Top